With a little know-how, most phishing scams are pretty easy to detect. This one, on the other hand, is devilishly clever and just might dupe you if you’re not careful.

The way this phish scam works is simple. Wordfence, who brought light to the scam, says the attacker creates an email address to disguise themselves as someone you know. Then they send you an email with an attachment, like a PDF or Word doc, that looks legitimate. When you click the attachment to see a preview of it, you get redirected to a Google sign-in page where you enter your credentials.

Advertisement

Here’s the trick: those attachments aren’t attachments—they’re embedded images designed to look like attachments that link out to a fake Google sign-in page. You can see an example of how real they look in Tom Scott’s tweet below.

What’s worse is everything about the fake Google sign-in page looks normal. The logo, text boxes, and tagline are all there. The only difference is in the address bar, where careful eyes will see that the page is actually a data URI with the prefix “data:text/htyml”, not a URL with the standard “https://”. But if you don’t spot it, the attackers get your information and use it to send out more of the same phish emails to your contacts.

Advertisement

Google has since updated Chrome to 56.0.2924, which makes it easier to spot fake forms like these, but it doesn’t exactly stop this type of scam dead in its tracks. And whether you use Chrome or not, it’s important to stay vigilant and keep your eyes peeled when checking email.